91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
Size

103KB
MD5

6e49b13755b14b7b2c74f40946241f82
SHA1

4c1cfa715105c50e6bcf2976efec13609cba0d87
SHA256

91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0
SHA512

150bdc7a4c35cfa62e549cb9bd52c16217fe8f6b7025fb1f0738a54f45680edc6e5d8d7a608f5383446939e140abbc0b6879a99a78b0ef9fb94318c3e4934d09
SSDEEP

1536:V7Zf/FAxTWoJJZENTBQTnTqQtIGHv1d4x2jwg8yZVUKo5R:fny1tEmTqQ1P1m48wWV5R

Score

9^/10

discovery ransomware upx

Malware Config

Signatures

Renames multiple (4833) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3104-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000900000002360b-2.dat	upx
behavioral2/files/0x000600000001690a-6.dat	upx
behavioral2/memory/3104-1752-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe

C:\Users\Admin\AppData\Local\Temp\91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe
"C:\Users\Admin\AppData\Local\Temp\91362bc7eecb2f2db215e24c3216ab454ca001cb8198b8497ee51353ad8406f0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=944,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
103KB

MD5
64cc790ad718ed22920cb82262513a94

SHA1
3aa4c4a451c874fcd03696c487dfceb311f987b3

SHA256
3b7f31623537a554952c5379873cd969fe474d0474c5ec9864fbcd4fc802bd6a

SHA512
c97b9af291ba1bdac55b40fdaca13399cff34699d512243d2761f26683f03d492987fbd12789f87a60c598a0c85ade740a4eee432fcec621fe0abeec0f401de9

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
216KB

MD5
c2f95eea5703bf3b191c92f4749450c0

SHA1
f577f019db6019086d13f52967b39723d08ffff9

SHA256
c94956b6ddff9132e5ea220207f960d13d1d3c46da2922aa6d16cf46f9ebf14c

SHA512
a4e54774f18452593727f6e97027a474d5a041bced59d9ca55ab7bf5cf5e9aa4ead34f1e22166ff2be518da7660a093d2134ae75c9498195042f3a364bf37a10

Download Submit
memory/3104-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3104-1752-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download